Programming language: Java
License: MIT License
Tags: Security     Projects    

OTP-Java alternatives and similar libraries

Based on the "Security" category.
Alternatively, view otp-java alternatives based on common mentions on social networks and blogs.

  • Tink

    Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
  • DependencyCheck

    OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
  • The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
  • OpenAM

    OpenAM is an open access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security.
  • Topaz

    Cloud-native authorization for modern applications and APIs
  • SSLContext-Kickstart

    ๐Ÿ” A lightweight high level library for configuring a http client or server based on SSLContext or other properties such as TrustManager, KeyManager or Trusted Certificates to communicate over SSL TLS for one way authentication or two way authentication provided by the SSLFactory. Support for Java, Scala and Kotlin based clients with examples. Available client examples are: Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient Jetty and Netty, the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, Vertx, Scala client Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala, Http4s Blaze, Kotlin client Fuel, http4k Kohttp and Ktor. Also gRPC, WebSocket and ElasticSearch examples are included
  • Passay

    Password policy enforcement for Java.
  • Kalium

    Java binding to the Networking and Cryptography (NaCl) library with the awesomeness of libsodium
  • Password4j

    Java cryptographic library that supports Argon2, bcrypt, scrypt and PBKDF2 aimed to protect passwords in databases. Easy to use by design, highly customizable, secure and portable. All the implementations follow the standards and have been reviewed to perform better in the JVM.
  • Jwks RSA

    JSON Web Key Set parser.
  • SecurityBuilder

    Fluent builders with typesafe API for the JCA
  • JObfuscator

    JObfuscator is a source code obfuscator for the Java language. Protect Java source code & algorithms from hacking, cracking, reverse engineering, decompilation & technology theft.
  • jwt-java

    JSON Web Token implementation for Java according to RFC 7519. Easily create, parse and validate JSON Web Tokens using a fluent API.

Do you think we are missing an alternative of OTP-Java or a related project?

Add another 'Security' Library



Build & Test Codacy Badge

A small and easy-to-use one-time password generator for Java according to RFC 4226 (HOTP) and RFC 6238 (TOTP).

Table of Contents


The following features are supported:

  1. Generation of secrets
  2. Time-based one-time password (TOTP, RFC 6238) generation based on current time, specific time, OTPAuth URI and more for different HMAC algorithms.
  3. HMAC-based one-time password (HOTP, RFC 4226) generation based on counter and OTPAuth URI.
  4. Verification of one-time passwords
  5. Generation of OTP Auth URI's





implementation 'com.github.bastiaanjansen:otp-java:1.3.0'

Scala SBT

libraryDependencies += "com.github.bastiaanjansen" % "otp-java" % "1.3.0"

Apache Ivy

<dependency org="com.github.bastiaanjansen" name="otp-java" rev="1.3.0" />

Or you can download the source from the GitHub releases page.


HOTP (Counter-based one-time passwords)

Initialization HOTP instance

To create a HOTP instance, use the HOTP.Builder class as follows:

HOTP.Builder builder = new HOTP.Builder(secret);
HOTP hotp = builder.build();

The above builder creates a HOTP instance with default values for passwordLength = 6 and algorithm = SHA1. Use the builder to change these defaults:

HOTP.Builder builder = new HOTP.Builder(secret);

HOTP hotp = builder.build();

When you don't already have a secret, you can let the library generate it:

// To generate a secret with 160 bits
byte[] secret = SecretGenerator.generate();

// To generate a secret with a custom amount of bits
byte[] secret = SecretGenerator.generate(512);

It is also possible to create a HOTP instance based on an OTPAuth URI. When algorithm or digits are not specified, the default values will be used.

URI uri = new URI("otpauth://hotp/issuer?secret=ABCDEFGHIJKLMNOP&algorithm=SHA1&digits=6&counter=8237");
HOTP hotp = HOTP.fromURI(uri);

Get information about the generator:

byte[] secret = hotp.getSecret();
int passwordLength = hotp.getPasswordLength(); // 6
HMACAlgorithm algorithm = hotp.getAlgorithm(); // HMACAlgorithm.SHA1

Generation of HOTP code

After creating an instance of the HOTP class, a code can be generated by using the generate() method:

try {
    int counter = 5;
    String code = hotp.generate(counter);

    // To verify a token:
    boolean isValid = hotp.verify(code, counter);

    // Or verify with a delay window
    boolean isValid = hotp.verify(code, counter, 2);
} catch (IllegalStateException e) {
    // Handle error

TOTP (Time-based one-time passwords)

Initialization TOTP instance

TOTP can accept more paramaters: passwordLength, period, algorithm and secret. The default values are: passwordLength = 6, period = 30 and algorithm = SHA1.

// Generate a secret (or use your own secret)
byte[] secret = SecretGenerator.generate();

TOTP.Builder builder = new TOTP.Builder(secret);

    .withAlgorithm(HMACAlgorithm.SHA1) // SHA256 and SHA512 are also supported

TOTP totp = builder.build();

Or create a TOTP instance from an OTPAuth URI:

URI uri = new URI("otpauth://totp/issuer?secret=ABCDEFGHIJKLMNOP&algorithm=SHA1&digits=6&period=30");
TOTP totp = TOTP.fromURI(uri);

Get information about the generator:

byte[] secret = totp.getSecret();
int passwordLength = totp.getPasswordLength(); // 6
HMACAlgorithm algorithm = totp.getAlgorithm(); // HMACAlgorithm.SHA1
Duration period = totp.getPeriod(); // Duration.ofSeconds(30)

Generation of TOTP code

After creating an instance of the TOTP class, a code can be generated by using the now() method, similarly with the HOTP class:

try {
    String code = totp.now();

    // To verify a token:
    boolean isValid = totp.verify(code);
} catch (IllegalStateException e) {
    // Handle error

The above code will generate a time-based one-time password based on the current time. The API supports, besides the current time, the creation of codes based on timeSince1970 in seconds, Date, and Instant:

try {
    // Based on current time

    // Based on specific date
    totp.at(new Date());

    // Based on seconds past 1970

    // Based on an instant
} catch (IllegalStateException e) {
    // Handle error

Generation of OTPAuth URI's

To easily generate a OTPAuth URI for easy on-boarding, use the getURI() method for both HOTP and TOTP. Example for TOTP:

TOTP totp = new TOTP.Builder(secret).build();

URI uri = totp.getURI("issuer", "account"); // otpauth://totp/issuer:account?period=30&digits=6&secret=SECRET&algorithm=SHA1

Recovery Codes

Often, services provide "backup codes" or "recovery codes" which can be used when the user cannot access the 2FA device anymore. Often because 2FA device is a mobile phone, which can be lost or stolen.

Because recovery code generation is not part of the specifications of OTP, it is not possible to generate recovery codes with this library and should be implemented seperately.


OTP-Java is available under the MIT licence. See the LICENCE for more info.

Stargazers repo roster for @BastiaanJansen/otp-java

*Note that all licence references and agreements mentioned in the OTP-Java README section above are relevant to that project's source code only.